The WannaCry and NotPetya outbreaks were among the most significant digital attack campaigns of 2017. Together, the crypto-ransomware and wiper malware affected hundreds of thousands of computers all over the world. They achieved this reach by abusing EternalBlue. Allegedly developed by the U.S. National Security Agency (NSA) and leaked online by the Shadow Brokers, EternalBlue exploits a flaw in Microsoft's Server Message Block (SMB) implementation, which allowed WannaCry and NotPetya to move laterally from a single point of infection to other vulnerable machines on the network.
EternalBlue will forever enjoy the notoriety of WannaCry and NotPetya’s destruction. Even so, it’s not the only SMB-based exploit that the Shadow Brokers dumped online. There are three other exploits in particular that digital attackers might prefer over EternalBlue because of how they work. To make matters worse, these exploits have been rewritten and stabilized in a way that makes them effective against a wider range of still-unpatched Windows systems.
Indeed, a GitHub user known as “zerosum0x0” has written a post discussing EternalSynergy, EternalRomance, and EternalChampion. These exploits have been changed to work against all vulnerable targets from Windows 2000 through Windows Server 2016, along with the corresponding home and workstation editions.
MS17-010 #EternalSynergy #EternalRomance #EternalChampion exploit and auxiliary modules for @Metasploit. Support for Windows 2000 through 2016. I basically bolted MSF psexec onto @sleepya_ zzz_exploit. https://t.co/UnGA1u4gWe pic.twitter.com/Y9SMFJguH1
— zǝɹosum0x0? (@zerosum0x0) January 29, 2018
Each of the revised exploits boasts remote command and code execution modules that rely on the zzz_exploit adaptation, in that they abuse SMB connection session structures to gain Admin/SYSTEM access. Unlike EternalBlue, EternalSynergy, EternalRomance, and EternalChampion do not use kernel shellcode to stage Meterpreter. Someone could still stage Meterpreter, a payload that ships with the Metasploit penetration testing framework, but they would likely need to take additional steps to keep that payload from being detected.
That’s not the only change that differentiates these three rewritten exploits from EternalBlue. As zerosum0x0 explains:
This module is highly reliable and preferred over EternalBlue where a Named Pipe is accessible for anonymous logins (generally, everything pre-Vista, and relatively common for domain computers in the wild).
Digital security vulnerability manager Kevin Beaumont has independently confirmed the effectiveness of EternalBlue, EternalSynergy, and EternalRomance against Windows 2000 to Windows Server 2016:
Big one: SMB exploit (fixed in MS17-010+) now ported to Windows 2000 up to Windows Server 2016, and all versions in between. Reliable, doesn’t cause BSOD like EternalBlue either. I’ve tried on Win2000 and XP. https://t.co/EZ96eFsV5C
— Kevin Beaumont (@GossiTheDog) January 29, 2018
The three exploits relate back to CVE-2017-0143 and CVE-2017-0146, two SMB vulnerabilities that Microsoft patched in March 2017 as part of MS17-010. Currently, there are two publicly known Metasploit modules that work with these vulnerabilities. Attackers can use those modules, which implement EternalBlue, EternalSynergy, EternalRomance, or EternalChampion, to compromise vulnerable Windows machines.
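For defenders, the practical question is whether a given host is still exposed to this MS17-010 exploit family. The following PowerShell audit is an added example and is not code from the article, from zerosum0x0, or from Metasploit. It reports three things on the local host: whether one of the MS17-010 security updates is installed, whether the SMBv1 server (the protocol version MS17-010 concerns) is still enabled, and whether named pipes are reachable over anonymous null-session logins, the condition zerosum0x0 names as making EternalSynergy and EternalRomance preferable to EternalBlue. The KB numbers are the ones from the MS17-010 bulletin as recalled by the editor, not values taken from the page, so verify them against the bulletin for your builds; on Windows 10 and Server 2016 later cumulative updates supersede them, so a missing KB by itself is not proof of exposure. The function name Get-Ms17010Status is a hypothetical name chosen for this example.

```powershell
# Added example: local MS17-010 exposure audit (not the article's or the project's code).
# KB list recalled from the MS17-010 bulletin; verify before relying on it.
$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',              # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',              # Server 2012
    'KB4012598',                           # XP / Server 2003 / Vista / Server 2008 (out-of-band)
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607 and Server 2016
)

$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$LsaKey       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-Ms17010Status {
    # Returns one object per host; each property is a finding a vulnerability scanner could act on.
    $installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
    $found = @($Ms17010Kbs | Where-Object { $installed -contains $_ })

    # SMBv1 server state. Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later;
    # on older builds fall back to the SMB1 registry value, which is absent (= enabled) by default.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $v = Get-ItemProperty -Path $LanmanParams -Name SMB1 -ErrorAction SilentlyContinue
        $smb1 = if ($null -eq $v) { $true } else { [bool]$v.SMB1 }
    }

    # Null-session exposure: pipes listed in NullSessionPipes are reachable without credentials
    # unless RestrictNullSessAccess / RestrictAnonymous are set to block anonymous access.
    $lanman = Get-ItemProperty -Path $LanmanParams -ErrorAction SilentlyContinue
    $lsa    = Get-ItemProperty -Path $LsaKey -ErrorAction SilentlyContinue

    [PSCustomObject]@{
        ComputerName           = $env:COMPUTERNAME
        OSVersion              = [Environment]::OSVersion.Version.ToString()
        Ms17010KbPresent       = ($found.Count -gt 0)
        Ms17010KbsFound        = ($found -join ',')
        Smb1ServerEnabled      = $smb1
        NullSessionPipes       = ($lanman.NullSessionPipes -join ',')
        RestrictNullSessAccess = $lanman.RestrictNullSessAccess
        RestrictAnonymous      = $lsa.RestrictAnonymous
    }
}

Get-Ms17010Status | Format-List

# Remediation for a host that reports Smb1ServerEnabled = True (run elevated):
#   Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
# and, where the optional feature exists, remove SMBv1 entirely:
#   Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol   (client SKUs)
#   Remove-WindowsFeature FS-SMB1                                      (server SKUs)
```

A host that shows Ms17010KbPresent = False together with Smb1ServerEnabled = True and a non-empty NullSessionPipes list is the case the article describes: reachable over SMBv1, unpatched, and offering the anonymous named-pipe access that the rewritten exploits rely on. Patching closes the vulnerability; disabling SMBv1 and null sessions removes the attack surface even on hosts that cannot be patched promptly.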
With the ongoing improvements made to exploits like EternalSynergy, EternalRomance, and EternalChampion, Heimdal Security’s digital security evangelist Ioana Rijnetu has some important advice for those organizations and users that still haven’t updated their computers running Windows software:
It is worth mentioning that these exploits could have self-replicating abilities that enable them to spread fast and impact lots of machines, so we urge you to apply all software patches available.
Of course, organizations have lots of different assets connected to their corporate IT environments, which means they deal with numerous vulnerabilities on an ongoing basis. To effectively handle all of those security flaws, companies need to invest in a vulnerability management solution that can help discover and profile all those assets. That resource should then prioritize those vulnerabilities based on the organization’s business needs.
For information on how Tripwire can help in this regard, click here.